Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code

In May 24, 2024, Zero-Day Initiative released a security advisory for Ivanti EPM which was associated with SQL injection Remote code execution vulnerability.

This vulnerability was assigned with CVE-2024-29824 and the severity was given as 9.6 (Critical).

Though ZDI did not mention any additional information regarding this critical vulnerability, they specified a function name that affected Ivanti EPM which was “RecordGoodApp”.

However, a proof-of-concept for this vulnerability has been published by Horizon3 researchers.

Technical Analysis – Proof Of Concept

According to the reports shared with Cyber Security News, this RecordGoodApp function existed in the PatchBiz.dll file present in the installation folder.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.

Further, this DLL was dissected using Jetbrains dotPeek tool for further review. This Patchbiz.dll wa a C# binary.

On investigating the SQL statements in this binary, the first SQL statement was found to be vulnerable to SQL injection as it used string.Format for inserting the value of goodApp.md5 into the SQL query.

Additionally, the RecordGoodApp function was first called from the AppMonitorAction.RecordPatchIssue is present inside an IF ELSE statement.

Further, the AppMonitorAction.RecordPatchIssue was called by Patch.UpdateActionHistory which was called from three different locations such as LANDesk.ManagementSuite.PatchBiz, LANDesk.ManagementSuite.WSVulnerabilityCore and StatusEvents.

Among these locations, the StatusEvents.EventHandler.UpdateStatusEvents was the most interesting, as it had annotations with [WebMethod] inside the EventHandler class.

This EventHandler class inherits from the System.Web.Services.WebService declares that it can be used to hit UpdateStatusEvents over HTTP.

Triggering The Exploit

As a means of analysing the location of this EventHandler class, an IIS manager was used which provided the exact location of EventHandler.cs that was located in /WSStatusEvents endpoint. Visiting this endpoint provided a list of sample requests and responses.

Further analysis revealed that this endpoint was sent with requests, finally showing one particular request that used the xp_cmdshell.

This xp_cmdshell can execute commands on the system, which can now be used to achieve Remote Code Execution on vulnerable Ivanti EPM.

Horizon3 has released an exploit code to trigger this vulnerability, which is now available on GitHub.

Users can use the MS SQL logs to examine the usage of xp_cmdshell for any malicious purposes.

It is recommended that Ivanti EPM users upgrade their products to the latest version to prevent threat actors from exploiting this vulnerability.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free